Consul
Secure network access north/south
This topic provides an overview of the Consul components that securely allow systems outside the service mesh to access services inside the mesh. Network traffic that connects services inside the mesh to external clients or services is referred to as north-south traffic.
For information about intra-mesh, or east-west traffic in your service mesh, refer to Expand network east/west overview.
Introduction
You can define points of ingress to the service mesh using either API gateways or ingress gateways. These gateways allow external network clients to access applications and services running in a Consul datacenter.
API gateways forward requests from clients to specific destinations based on path or request protocol. Ingress gateways are Consul's legacy capability for ingress. We recommend using API gateways instead of ingress gateways.
API gateways
API gateways enable external network clients to securely access applications and services running in a Consul datacenter. Consul API gateways can also forward requests from clients to specific destinations in the service mesh based on the request's path or protocol.
To enable an API gateway, you must configure the gateway, its listeners, and its routes. Refer to API gateway overview for more about deploying API gateways to your Consul service mesh.
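The three pieces named above (gateway, listeners, routes) map to Consul configuration entries, shown here as an added example that is not taken from this page. The names `edge-gateway`, `edge-cert`, `web`, and port 8443 are assumptions chosen for illustration.

```hcl
# gateway.hcl: the gateway and its listener (constructed example values).
Kind = "api-gateway"
Name = "edge-gateway"
Listeners = [
  {
    Name     = "https"
    Port     = 8443
    Protocol = "http"
    # TLS terminates at the listener; the certificate is a separate
    # inline-certificate configuration entry referenced by name.
    TLS = {
      Certificates = [
        {
          Kind = "inline-certificate"
          Name = "edge-cert"
        }
      ]
    }
  }
]

# route.hcl: a route bound to that listener, forwarding by request path.
Kind = "http-route"
Name = "web-route"
Parents = [
  {
    Kind        = "api-gateway"
    Name        = "edge-gateway"
    SectionName = "https" # must match the listener Name above
  }
]
Rules = [
  {
    Matches = [
      { Path = { Match = "prefix", Value = "/" } }
    ]
    Services = [
      { Name = "web" } # hypothetical mesh service receiving the traffic
    ]
  }
]
```

Each entry lives in its own file and is applied separately with `consul config write`.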
Ingress gateways
Ingress gateways listen for external requests and route authorized traffic to instances in the service mesh. They provide one-way traffic from external sources to services in the mesh. If you want to enable traffic from services in the mesh to external destinations, then you must also configure a terminating gateway, which is a separate component that requires additional configuration and maintenance.
Ingress gateways are deprecated. Use Consul API gateways to secure service mesh ingress instead.
Refer to Ingress gateway overview for additional information about deploying ingress gateways to your Consul service mesh.
Terminating gateways
Terminating gateways handle requests from services in the network for external services running on external nodes. They act as service mesh proxies that can services in the Consul catalog. These gateways terminate service mesh mTLS connections, enforce service intentions, and forward requests to the appropriate destination.
Terminating gateways are deprecated. Use Consul API gateways instead.
Refer to Terminating gateways for more information about how to deploy terminating gateways to your Consul service mesh.
Guidance
Refer to the following topics for information about deploying API and ingress gateways: